Data Processing Agreement
Effective Date: October 1, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and ThreadLock ("Processor," "we," "us," "our") and sets forth the terms under which we process personal data on your behalf.
This DPA applies to the processing of personal data in connection with the ThreadLock service and is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that you upload or submit to the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by ThreadLock to process Personal Data.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
3. Scope and Role of the Parties
3.1 Controller and Processor: You are the Data Controller and ThreadLock is the Data Processor with respect to Personal Data processed through the Service.
3.2 Customer Instructions: ThreadLock will process Personal Data only in accordance with your documented instructions as set forth in this DPA and the Terms of Service, unless required to do so by law.
3.3 Scope of Processing: ThreadLock processes Personal Data to:
- Provide the Service as described in the Terms of Service
- Store and organize your journal entries and evidence
- Generate AI-assisted content and suggestions
- Create tamper-evident timestamps
- Export documents in various formats
- Ensure security and prevent fraud
4. Data Subject Rights
4.1 Assistance: ThreadLock will assist you in responding to Data Subject requests to exercise their rights under applicable data protection laws, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of data ("right to be forgotten")
- Data portability
- Restriction of processing
- Objection to processing
4.2 Customer Responsibility: You are responsible for responding to Data Subject requests. ThreadLock will provide reasonable assistance and access to relevant Personal Data within 10 business days of your request.
5. Sub-processors
5.1 Current Sub-processors: You authorize ThreadLock to engage the following Sub-processors:
- Google Cloud Platform (Firebase): Cloud hosting, database, authentication, and storage services
- Stripe: Payment processing services
- Vercel: Web hosting and content delivery
5.2 Sub-processor Requirements: ThreadLock ensures that all Sub-processors are bound by contractual obligations at least as protective as those in this DPA, including appropriate data protection and security measures.
5.3 Changes to Sub-processors: We will notify you of any intended changes to Sub-processors via email at least 30 days in advance. If you object to a new Sub-processor on reasonable data protection grounds, you may terminate the Service without penalty.
6. Security Measures
ThreadLock implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Access controls and authentication
- Regular security audits and testing
- Employee training and confidentiality obligations
- Incident response procedures
- Secure backup and recovery processes
For more details, see our Security Policy.
7. Data Breach Notification
7.1 Notification: ThreadLock will notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting your data.
7.2 Information Provided: The notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
7.3 Cooperation: ThreadLock will cooperate with you in investigating and resolving the breach, including providing reasonable assistance with any required notifications to Data Subjects or regulatory authorities.
8. International Data Transfers
8.1 Transfer Mechanisms: Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). ThreadLock ensures appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Contractual obligations with Sub-processors requiring equivalent protection
9. Audits and Compliance
9.1 Records: ThreadLock maintains records of processing activities as required by Article 30 of the GDPR.
9.2 Audit Rights: You have the right to audit ThreadLock's compliance with this DPA. Upon reasonable advance notice (at least 30 days), ThreadLock will:
- Provide relevant documentation and information
- Allow access to relevant systems and personnel
- Cooperate with reasonable audit requests
Audits must not unreasonably interfere with our operations and are limited to once per year unless required by a regulatory authority or in response to a data breach.
10. Data Retention and Deletion
10.1 Retention: ThreadLock retains Personal Data as long as necessary to provide the Service and as required by law.
10.2 Deletion: Upon termination of your account or at your request, ThreadLock will delete or anonymize your Personal Data within 90 days, except where:
- Required by law to retain the data
- Data is stored in backup systems (which are deleted according to our backup retention schedule)
- Needed for legitimate business purposes (e.g., fraud prevention, billing disputes)
11. Confidentiality
ThreadLock ensures that all personnel authorized to process Personal Data:
- Are subject to confidentiality obligations
- Receive appropriate training on data protection
- Access Personal Data only as necessary to perform their duties
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
13. Term and Termination
This DPA remains in effect for as long as ThreadLock processes Personal Data on your behalf. Upon termination:
- ThreadLock will cease processing Personal Data
- At your choice, ThreadLock will return or delete all Personal Data
- Deletion certificates can be provided upon request
14. DPA Template Download
If you need a fully executed Data Processing Agreement for your records or to meet compliance requirements, you can download our DPA template.
After downloading, please complete the template with your organization's information, sign it, and return it to info@threadlock.ai for countersignature.
15. Contact Information
For questions about this DPA or data processing:
Email: info@threadlock.ai
Address: 16200 SW Pacific Hwy, Suite H PMB 1046, Tigard, OR 97224, United States